Citrix Provisioning & Webroot

We're implementing/still testing a virtual desktop infrastructure using Citrix XenDesktop 7.6 running atop VMware vSphere 5.5. The environment is built, support servers running, etc. and we're working on master image deployment via Citrix PVS, but we're running into trouble when it comes to WSA installations. According to the documentation, running WSA is supported within the virtual environment, either using the -clone or -uniquedevice commandline option. We're building WSA into our master image and we've tried it both ways (used both command line options), but when we provision our virtual machines, we don't see those registering within the Webroot Admin Console. When we used -uniquedevice, we saw 1 provisioned VM register in the console but with continual refreshes, that same instance in the Admin Console would change names, our assumption was that we were seeing the last provisioned VM to check in. When we used -clone, to be honest I'm not exactly sure what we're seeing. I think I see 1 device register, but it attaches a random series on numbers on name.

Can anyone provide some assistance or at least a direction to look in? TIA

18 replies

It is not possible to deploy Webroot with the image. Webroot uses the SID to repot to the console and it will not fix itself after sysprep. So you need to sysprep machines before deploying Webroot (ie: after the imaging).

For virtural machines that get provisioned every time on login you need to use "-uniquedevice" or you will likely get a new instance every time the machine loads up.

Let me know if you have futher questions or need futher calrification.

Further digging does indeed show that my provisioned images have the same computer SID, which is causing WSA issues in the console. I know you mention using Sysprep, but everything we've been reading says that you shouldn't use Sysprep if you using Citrix PVS, so we're left wondering how we should proceed...

I'm not super familiar with provisioning virtural envrioments. My experience wih Webroot though tells me that the -uniquedevice switch will resolve the issue with not syspreping the VM deployment. The process I'd suggest is deploy image the VM and install Webroot with -uniquedevice after the imaging.

@ wrote:
I'm not super familiar with provisioning virtural envrioments. My experience wih Webroot though tells me that the -uniquedevice switch will resolve the issue with not syspreping the VM deployment. The process I'd suggest is deploy image the VM and install Webroot with -uniquedevice after the imaging.

We ended up trying that yesterday with no success. Our basic process:

- build a master image
- use Citrix provisioning target agent to build a vDisk
- deploy given number of VMs, all booting form the target vDisk
- install Webroot to the vDisk using -uniquedevice
- ensure newly created VMs are booting from the vDisk that Webroot was installed on

The end result is the same - the Webroot console will see the last VM that checked in prior to loading the console page. The hostname will typically change upon a refresh.

Same result after installing WSA with no switches. No matter the number of machines that were provisioned, the Webroot admin console sees only one. Using "psgetsid" from PStools, the SID is the same across all provisioned VMs. In reading Citrix documentation, that appears to be normal behavior.

Can Webroot verify that WSA uses the computer SID to check in with the admin console? (this would be the SID that is identified by using the "psgetsid" tool from PStools). If so, that's going to be a big problem.

Was this issue resolved ?
We´re planning a similar installation.
All I got from support was to use the -clone paramater when installing. But as I understand it that doesn´t really solve the issue ?

Also are you running webroot on the provisioning hosts ? If so how is the performance any issues ? Wich policy settings do you use ?
I´ve opened a ticket but support doesn´t seems to understand wich citrix product I asked about all I got was a link to this:http://download.webroot.com/Citrix/Citrix.pdf
Wich I believe doesn´t really apply.

No, this issue is still present. After further investigation the current workaround is to deploy Webroot on boot using group policy or another deployment solution. This causes a new instance of the machine to show up in the console every time the VM boots from the master image. You can deploy Webroot to a special group in the console for these VM's to keep them separate from the others by using the /group= deployment switch, more info can be found on the Deployment Guide.

Because of this issue I have created a user story for development to investigate. What I proposed is to generate the back end identifiers based off the Microsoft SID (which should be the same for all the VM's, since they are booting from the master image) and the hostname of the VM instance. This should mean that each time the VM boots from the master image it should sync up with the correct back end identifiers. Please correct me if I'm wrong about the SID or the hostnames, I'm no expert in VDI environments.

I´ve checked with our citrix professional and you´re on the right track with the proposed fix according to him.

Regarding installing webroot on the provisioning host it self. Do you have any experience ? I don´t feel confortable just installing it and hoping for the best, since this could potentialy make the guest systems crash.
Here is citrix best practices for running antivirus on the host:http://support.citrix.com/article/ctx124185

We have the same problem. We have installed WebRoot on our Citrix Provisioning image with -uniquedevice.
But it looks like we only get 1 device in the WebRoot admin console.
Do you have a update on the fix?

I just wanted to chime in here as this thread pops up from time to time, the original poster managed to find a solution for his environment by having Webroot installed everytime a user logs into a virtual desktop. In this case it was without either of the clone or uniquedevice command line arguments. The customers endpoints fill the same record instance each day and so the Webroot management console does not have overlapping records, or a new record for each end user each day. These are the two most common symptoms of an incorrect provisiong / virtualisation deployment with SecueAnywhere.

Our development team are continuously looking into how best to identify endpoints within our console as the landscape changes, ie more and more virtualisation or OS migration such as to Windows 10.

In general the golden rule for provisioning from golden images (pun intended) is to not install Webroot on them, but to install Webroot as users log into their desktops. We most often see success with the uniquedevice switch, but as this customers experience points out, each environment is different and might require some trial and investigation to find the best solution.

Cookie policy

Cookie settings

We use 3 different kinds of cookies. You can choose which cookies you want to accept. We need basic cookies to make this site work, therefore these are the minimum you can select. Learn more about our cookies.